Maybank Phishkit Analysis

Just a couple of days ago, we discovered a certain Maybank phishing kit that limits access to only IP addresses from Malaysia. The phishing kit is hosted on a server in the US. This is basically done via the .htaccess file.


 Directory of C:\temp\xyz\xyz\m2u\abc

07/04/2011  12:43 PM                        .
07/04/2011  12:43 PM                        ..
27/01/2011  01:12 AM     8,701 HTACCE~1     .htaccess
26/01/2011  03:44 PM       877              acc.php
27/01/2011  04:51 PM       870              favicon.jpg
15/01/2011  09:00 AM    16,372 M2ULOG~1.PHP M2ULogin.do.php
26/08/2010  11:21 AM    14,745 MAYBAN~1.PHP Maybanksecure.php
26/08/2010  11:50 AM    14,632 RE-ACT~1.PHP re-activate.php
04/10/2010  12:44 PM       518 SSLACT~1.PHP sslactivate.php
26/01/2011  03:41 PM       572 SSLVER~1.PHP sslverify.php
27/07/2010  09:32 PM     2,530 TACREQ~1.PHP tacrequested.php
26/01/2011  03:41 PM       543 VALIDA~1.PHP validating.php
26/01/2011  03:41 PM    21,301 VERIFY~1.PHP verifydetails.php
              11 File(s)         81,661 bytes

There are about 300 network addresses listed in the .htaccess file, which makes other anti-phishing researchers think that the site does not exist.
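
For triaging a recovered kit, the following added example (not code from this post or from the kit) parses an .htaccess allowlist and reports whether a given client address would be served. It assumes Apache 2.2-style `Order` / `Deny from` / `Allow from` directives, which the post does not show; the sample file and its RFC 5737 documentation ranges are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample, not the kit's real file. Apache 2.2 mod_authz_host
# syntax is an assumption; the ranges are RFC 5737 documentation networks.
SAMPLE_HTACCESS = """\
# constructed example
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
Allow from 198.51.100.0/255.255.255.0 203.0.113
"""

def _to_network(token):
    """Convert one 'Allow from' token to an ip_network, or None if it is not an IP."""
    # Apache accepts partial addresses such as "203.0.113" (first 1-3 octets).
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}\.?", token):
        octets = token.rstrip(".").split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        # Handles CIDR, address/netmask and single addresses.
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # hostnames and env= conditions are out of scope here

def summarize_htaccess(text):
    """Return (default_deny, allowed_networks) for a recovered .htaccess."""
    default_deny, allowed = False, []
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0].startswith("#") or words[1].lower() != "from":
            continue
        if words[0].lower() == "deny" and words[2].lower() == "all":
            default_deny = True
        elif words[0].lower() == "allow":
            allowed += [n for n in map(_to_network, words[2:]) if n is not None]
    return default_deny, allowed

def visible_from(ip, default_deny, allowed):
    """True if a client at `ip` is served; False means the server refuses it."""
    addr = ipaddress.ip_address(ip)
    # With "Order deny,allow", a matching Allow overrides "Deny from all".
    return (not default_deny) or any(addr in net for net in allowed)

if __name__ == "__main__":
    deny, nets = summarize_htaccess(SAMPLE_HTACCESS)
    print("default deny:", deny, "| allowed networks:", len(nets),
          "| addresses covered:", sum(n.num_addresses for n in nets))
    for probe in ("203.0.113.7", "8.8.8.8"):
        print(probe, "->", "served" if visible_from(probe, deny, nets) else "refused")
```

A default-deny rule combined with a long allowlist of one country's networks is a useful triage signal that a "dead" phishing URL should be re-checked from inside the targeted region before it is closed out.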

On another note, do make use of our DontPhishMe plugin for Firefox and Chrome!